Why doesn't 2FA help MetaMask

Q: A user asks “Why doesn’t MetaMask use two factor authentication to increase security?”

TL;DR:

Two factor authentication (2fa) does not work for MetaMask because MetaMask is non-custodial. This means only you have access to your Secret Recovery Phrase (which controls your assets) and they are not stored in a centralized server.

Your assets live in the blockchain, not inside the wallet. The only way to access these is with your Secret Recovery Phrase. One of MetaMask’s core values is to build the most secure software, and minimize risk for people. A decentralized service for which only you hold the keys to access it is probably one of the most secure use cases to date.

Remember that secret recovery phrases cannot be reset. They are not like passwords. So, if you share these keys with anyone, then that person could take your assets.

Focusing on only 2fa and not securing your Secret Recovery Phrase is like adding a new lock to the front door, but leaving the back door unlocked.

For the best security:

  • Never share your Secret Recovery Phrase (Add link)
  • Use a hardware wallet (link)
  • Use a clean computer for transactions to avoid keyloggers and malware.
  • Do not give too many permissions to a DApp.

Why Two Authentication Does Not Work with MetaMask:

Two factor authentication (2fa) will not protect you when using MetaMask. Why? 2FA is used to authenticate yourself to an external centralized service which stores some sensitive information, say your hosted accounts’ keys. However, with MetaMask you hold the keys, so it doesn’t make sense to authenticate yourself to yourself.

Public blockchains are designed to be decentralized, so no one entity can control it. Each blockchain holds their users’ assets in the same ledger. The ONLY way the assets can be accessed is via your account’s keys created from the Secret Recovery Phrase. The Secret Recovery Phrase cannot be reset and must be kept secret. If your phrase is compromised NO form of authentication will help you. Using your secret recovery phrase or private keys a malicious entity could use another wallet to access your funds.

Note: Your assets do not live in the blockchain wallet, they live on the blockchain. The wallet is just an interface to access and manage your accounts.

Why can’t we reset your Secret Recovery Phrase?
The first reason has to do with how Public Key Encryption works. Public Key Encryption is the technology that already secures your bank accounts and internet purchases. It allows for entities to share secrets in public networks where bad actors could intercept them.

Another reason is due to decentralization. The same way Google Chrome does not control the internet, MetaMask does not control Ethereum. Since Ethereum is decentralized, just like the internet, there isn’t an entity who can “reset” your phrase. MetaMask having the ability to issue passwords that access your assets would centralize control and defeat the purpose of Ethereum.

The downsides of Two Factor Authentication on self custodial wallet:

At best, two factor authentication provides a false sense of security by distracting users from actual things which keep them safe.

At worst, two factor authentication puts users in MORE danger. Say your method of authentication is SMS (text messages), which is very insecure. A hacker could intercept your SMS message using a “man in the middle” attack in various ways. Then the hacker could route you to a fake MetaMask website where they could compromise your accounts.

Two factor authentication can reduce the control you have over your assets. Say you opt for a centralized authenticator app. Such a service creates bottlenecks and could be taken down by hackers.

Why Self Custody?

Not your keys, not your wallet. A centralized exchange is like a large room with a lot of gold. You are trusting their security or them running off with your money. There are plenty of incidents where centralized exchanges have been compromised, either by the hacks or the operators stealing the funds like in Turkey or South Africa.

MetaMask avoids these issues by giving you your keys from the beginning. This prevents you from being censored, stopped from trading, or have your assets confiscated. It also decentralizes the attack vector for hackers to get a bunch of money at one time.

Even The TechnoKing @ElonMusk gets it: